Home > Others

Differences between Nt * and ZW *

Source: Internet
Author: User
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

Today, when I was reading untitled ented Windows 2000 secrets, I had a long history of reading the differences between Nt * and ZW *. I did not quite understand it. Later I checked it online and now I know it clearly.

The original text is as follows:

"A set of entry points parallel to the executive's system services of the execution body.Code() Calls a zwxxx entry point to obtain the corresponding system service, but when using the ZW * () function, the caller's access permissions and parameter validity are not checked, besides, the call will not switch the previous mode to the user mode"

"Although any group of functions can be called in kernel mode, if ZW * () function is used to replace Nt * () function, you can switch the previous mode (here the previous mode refers to the request sending mode) to the kernel mode"

With livekd, let's take a look at the differences between Nt * () and ZW:

1. Nt * () and ZW * () in Ntdll. dll *()

Kd> u ntdll! Ntcreatefile L4
Ntdll! Ntcreatefile:
7c92d682 b825000000 mov eax, 25 h
7c92d687 ba0003fe7f mov edX, offset shareduserdata! Systemcallstub (7ffe0
300)
7c92d68c ff12 call dword ptr [edX]
7c92d68e c22c00 RET 2ch

--------------------------------------------------------------------------------

Kd> u ntdll! Zwcreatefile L4
Ntdll! Ntcreatefile:
7c92d682 b825000000 mov eax, 25 h
7c92d687 ba0003fe7f mov edX, offset shareduserdata! Systemcallstub (7ffe0
300)
7c92d68c ff12 call dword ptr [edX]
7c92d68e c22c00 RET 2ch

Through the above code, we can easily find that in Ntdll, NT * () and ZW * () are exactly the same.

2. Nt * () and ZW * () in ntoskrnl.exe *()

Kd> u nt! Zwcreatefile L14
NT! Zwcreatefile:
808059a0 b825000000 mov eax, 25 h
808059a5 8d542404 Lea edX, [esp + 4]
808059a9 9C pushfd
808059aa 6a08 push 8
808059ac e8801c0000 call nt! Kisystemservice (80807631)
808059b1 c22c00 RET 2ch

-------------------------------------------------------------------------------

Kd> u nt! Ntcreatefile L16
NT! Ntcreatefile:
80898bf8 8bff mov EDI, EDI
80898bfa 55 push EBP
80898bfb 8bec mov EBP, ESP
80898bfd 33c0 XOR eax, eax
80898bff 50 push eax
80898c00 50 push eax
80898c01 50 push eax
80898c02 ff7530 push dword ptr [EBP + 30 h]
80898c05 ff752c push dword ptr [EBP + 2ch]
80898c08 ff7528 push dword ptr [EBP + 28 h]
80898c0b ff7524 push dword ptr [EBP + 24 h]
80898c0e ff7520 push dword ptr [EBP + 20 H]
80898c11 ff751c push dword ptr [EBP + 1ch]
80898c14 ff7518 push dword ptr [EBP + 18 h]
80898c17 ff7514 push dword ptr [EBP + 14 H]
80898c1a ff7510 push dword ptr [EBP + 10 h]
80898c1d ff750c push dword ptr [EBP + 0ch]
80898c20 ff7508 push dword ptr [EBP + 8]
80898c23 e87bfeffff call nt! Iocreatefile (80898aa3)
80898c28 5d pop EBP
80898c29 c22c00 RET 2ch

When we see the authorization code, we will find the difference between Nt * () and ZW * () in ntoskrnl.exe.

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
powershell compare two files and output differences compare two excel files and highlight differences apple watch series 1 and 2 differences time and date between difference between couchbase and couchdb difference between services and microservices difference between asp and php

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More